feat: configuration for inferring NVD fix versions

Signed-off-by: Weston Steimel <[email protected]>
anchore · Oct 16, 2024 · 6dcb320 · 6dcb320
1 parent 0cd597b
commit 6dcb320
Show file tree

Hide file tree

Showing 5 changed files with 30 additions and 8 deletions.
diff --git a/cmd/grype-db/cli/options/build.go b/cmd/grype-db/cli/options/build.go
@@ -23,9 +23,10 @@ type Build struct {
 
 func DefaultBuild() Build {
 	return Build{
-		DBLocation:     DefaultDBLocation(),
-		SkipValidation: false,
-		SchemaVersion:  process.DefaultSchemaVersion,
+		DBLocation:          DefaultDBLocation(),
+		SkipValidation:      false,
+		SchemaVersion:       process.DefaultSchemaVersion,
+		InferNVDFixVersions: true,
 	}
 }
 

diff --git a/pkg/process/build.go b/pkg/process/build.go
@@ -102,7 +102,7 @@ func getProcessors(cfg BuildConfig) ([]data.Processor, error) {
 	case grypeDBv4.SchemaVersion:
 		return v4.Processors(), nil
 	case grypeDBv5.SchemaVersion:
-		return v5.Processors(v5.NewConfig(v5.WithOSCPEsIncluded(cfg.IncludeOSCPEs))), nil
+		return v5.Processors(v5.NewConfig(v5.WithOSCPEsIncluded(cfg.IncludeOSCPEs), v5.WithInferNVDFixVersions(cfg.InferNVDFixVersions))), nil
 	default:
 		return nil, fmt.Errorf("unable to create processor: unsupported schema version: %+v", cfg.SchemaVersion)
 	}

diff --git a/pkg/process/v5/processors.go b/pkg/process/v5/processors.go
@@ -22,6 +22,12 @@ func WithOSCPEsIncluded(included bool) Option {
 	}
 }
 
+func WithInferNVDFixVersions(infer bool) Option {
+	return func(cfg *Config) {
+		cfg.NVD.InferNVDFixVersions = infer
+	}
+}
+
 func NewConfig(options ...Option) Config {
 	var cfg Config
 	for _, option := range options {

diff --git a/pkg/process/v5/transformers/nvd/transform.go b/pkg/process/v5/transformers/nvd/transform.go
@@ -22,7 +22,8 @@ import (
 )
 
 type Config struct {
-	IncludeOSCPE bool
+	IncludeOSCPE        bool
+	InferNVDFixVersions bool
 }
 
 func Transformer(cfg Config) data.NVDTransformer {
@@ -82,7 +83,7 @@ func transform(cfg Config, vulnerability unmarshal.NVDVulnerability) ([]data.Ent
 			PackageName:       grypeNamespace.Resolver().Normalize(p.Product),
 			Namespace:         entryNamespace,
 			CPEs:              orderedCPEs,
-			Fix:               getFix(matches),
+			Fix:               getFix(matches, cfg.InferNVDFixVersions),
 		})
 	}
 
@@ -118,7 +119,13 @@ func getVersionFormat(name string, cpes []string) version.Format {
 	return version.UnknownFormat
 }
 
-func getFix(matches []nvd.CpeMatch) grypeDB.Fix {
+func getFix(matches []nvd.CpeMatch, inferNVDFixVersions bool) grypeDB.Fix {
+	if !inferNVDFixVersions {
+		return grypeDB.Fix{
+			State: grypeDB.UnknownFixState,
+		}
+	}
+
 	possiblyFixed := strset.New()
 	knownAffected := strset.New()
 	unspecifiedSet := strset.New("*", "-", "*")

diff --git a/pkg/process/v5/transformers/nvd/transform_test.go b/pkg/process/v5/transformers/nvd/transform_test.go
@@ -1058,8 +1058,16 @@ func TestGetFix(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			fix := getFix(tt.matches)
+			fix := getFix(tt.matches, true)
 			assert.Equal(t, tt.expected, fix)
 		})
+
+		t.Run(tt.name+" don't infer NVD fixes", func(t *testing.T) {
+			fix := getFix(tt.matches, false)
+			assert.Equal(t, grypeDB.Fix{
+				Versions: nil,
+				State:    "unknown",
+			}, fix)
+		})
 	}
 }